New PAM code landing (at last)

James Williamson james at nameonthe.net
Sat May 10 20:37:55 EST 2003 

----- Original Message -----
From: "Damien Miller" <djm at mindrot.org>
> Hello all,
>
> The long-mooted PAM merge from FreeBSD is starting _now_. This replaces
> the PAM password auth kludge that we have used until now with a discrete
> challenge-response module. This module is invoked via
> keyboard-interactive for protocol 2 or TIS auth for protocol 1.
>
> Warning: this is a large change and will probably break things. It has
> only been tested with basic password auth modules and not at all (by me)
> on non-Linux systems (I put out test requests on snapshots of this, but
> nobody responded...) On the other hand, this code has been shipping and
> working in FreeBSD for a while.
>
> For those interested, this is pretty much exactly what is in FreeBSD's
> tree, with a few s/pam_xxx/sshpam_xxx/ substitutions. These are to avoid
> potential namespace clashes against the PAM library itself. I have no
> idea whether there are any such conflicts in the symbols in auth-pam.c,
> but we made a similar change in the old auth-pam.c quite a while ago at
> the request of someone at Sun.
>
> Also note that we do not enable and have no intention of enabling the
> thread support - we don't want the complexity of theads in the monitor.
> The code is still there at the moment (#ifdef'd out), but will likely
> disappear from our tree in the future. I'll try to remove it in such a
> way that the FreeBSD developers don't end up in #ifdef hell putting it
> back in their tree.
>
> The repository will be tagged with BEFORE_FREEBSD_PAM_MERGE and
> AFTER_FREEBSD_PAM_MERGE tags to make diffing / reverting easier.
>
> We are a long way from the next release, so we have plenty of time to
> make this work properly. Doing this will require a lot of testing, so I
> encourage everyone on a PAM system to try out the new code and report
> back ASAP.
>

Are there any plans to fix the "PAM needs to run as root in the session
stage"
as raised by me a few weeks ago.
I know this is incredibly useful for ISPs who want to chroot people
who login (as we do). I'm no expert on PAM and I understand the security
implications but surely as someone mentioned earlier support for PAM is
effectively
broken without this.

Regards,

James Williamson
www.nameonthe.net
Tel: +44 208 7415453
Fax: + 44 208 7411615

More information about the openssh-unix-dev mailing list